Topic: How to run Magic Lantern into QEMU?!... (Read 126457 times)

I've used a new hg tree under qemu to generate the diff. It's a bit ugly now; I'm thinking to modify the install script to store the new files as plain files, and use the patch only for modification to QEMU sources.

Edit: did these changes and some small additions:

- to emulate Canon firmware, without ML: ./run_canon_fw.sh 600D

- to generate a diff or commit changes (say you have modified eos.c or added some script): ./copy_back_to_contrib.sh, then normal hg commands or GUI in contrib/qemu

- to run the firmware in gdb: qemu-1.4.0/arm-softmmu/qemu-system-arm -M 5D3 -s -S in one terminal, arm-elf-gdb -x gdbopts in another

6D is running in QEMU. ML seemed to run but I did not see hello world in VNC. Ran the Canon FW and debugger and it opened up stopping at ff0c0008. I guess this can be connected as a debugger to IDA or another disassembler?

It would be nice to also get it running on Windows though - of course I have Linux/whatever vms, but for ml I'd like to get around them on my puny laptop just like there is no need to use Linux to compile ml.

I can post the binary... the armmmu folder is only something like 20-30mb.... but I can't connect to it in windows, like it needs another patch to use the networking. The linux binary will only connect on localhost so I can't push it out to gdb over the network.

I changed the content of "run_ml_550D.sh" to "sh run_ml.sh 550D 109" (550 instead of 500) but it still won't work. The 550D is not listed under supported machines. I don't know if it's important and the failure is caused by something else, or caused by my installation? Well, I have no vram.txt as you see. Do you have any clue?

Feel free to turn it into something useful... like script interpreter, testing server, source-level debugger, HDMI emulator, support for image buffers, add a nice GUI... or just port it for your camera. I've only tested it on 5D3 1.1.3, and it's been already used to debug the early 100D ML port in GDB.

Works fine here for 6D. Needed to do some additional stuff like filename capitalization etc. I just ran into one last problem. I have somehow no write access - at least there's no "magic.cfg" saved, nor "bench.ppm", nor are ROM dumps from the debug menu written etc. Though qemu doesn't report an error on the qemu monitor. It's just like qemu has write access to some nirvana place in memory....

Just had success in emulating the display test (on most cameras). On 6D, I had to emulate the bootloader as well (without it, the display init routine would get stuck).

To run the display test, look for the following "if (0)" and enable them:

- "bootloader config, 4 bpp" -> required to run all boot display tests
- "6D bootloader experiment" -> required for 6D; launch with ./run_canon_fw.sh 6D

More details:

- it launches most Canon tasks
- unmodified 60D firmware (without autoexec.bin or ROM patches) runs as well (and starts the GUI too)
- SD card emulation also works (it loads autoexec.bin and even creates the DCIM directory on startup)
- MPU emulation kinda works (it replays messages from a log file)
- sample log: 60D-qemu-canon-gui-and-sd.log

Next steps:

- emulate unmodified autoexec.bin
- remove all those CONFIG_QEMU hacks
- implement key events as MPU messages
- CF emulation
- enable the emulation for other cameras
- do something about those huge logs
- make the code more QEMU-ish and less hackish
- write a quick start guide
- do something useful with it

What's the use?

- much easier to understand Canon firmware (you can see exactly what some piece of code does with the hardware)
- very useful in diagnosing soft-bricked cameras
- a way to debug your code (or Canon's) in a GUI (gdb or IDA)
- test bench for Lua scripting or for module development
- automated tests for the nightly builds (see also this proposal)

Some tips, until a more complete guide will be available:

- to load a SD card image, use something like: ./run_canon_fw.sh 60D -sd sd.img
- to display a trace of the firmware code, with disassembly, use: ./run_canon_fw.sh 60D -sd sd.img -d exec,int -singlestep
- there is a monitor console as well: ./run_canon_fw.sh 60D -sd sd.img -monitor stdio
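One way to make the "huge logs" from the `-d exec,int -singlestep` tip above useful when a firmware gets stuck (as the 6D display init did): find the handful of PCs that dominate the trace. This is an added example, not code from the thread or the Magic Lantern project; it assumes the `Trace <host ptr> [<guest pc>]` line format that QEMU 1.x writes for `-d exec`, and the log lines below are constructed.

```python
import re
from collections import Counter

# Assumed QEMU 1.x "-d exec" line format: "Trace 0x7f... [ff0c0008] <symbol>"
TRACE_RE = re.compile(r"^Trace\s+0x[0-9a-fA-F]+\s+\[([0-9a-fA-F]+)\]")

def parse_trace_pcs(lines):
    """Yield the guest PC (as int) of every executed block in -d exec output."""
    for line in lines:
        m = TRACE_RE.match(line)
        if m:
            yield int(m.group(1), 16)

def hot_spots(lines, top=3):
    """Return [(pc, count), ...] for the most frequently executed PCs.
    A few addresses dominating a large log usually mark a busy-wait on a
    hardware register the emulator does not model yet (the 'stuck' case)."""
    return Counter(parse_trace_pcs(lines)).most_common(top)

def first_loop(lines):
    """Return (pc, index) of the first PC executed a second time, i.e. the
    point where straight-line boot code first jumps back; None if never."""
    seen = {}
    for i, pc in enumerate(parse_trace_pcs(lines)):
        if pc in seen:
            return pc, i
        seen[pc] = i
    return None

# Constructed sample: three linear boot instructions, then a
# three-instruction polling loop that repeats 50 times.
SAMPLE_LOG = [
    "Trace 0x7f3a10008010 [ff0c0008] ",
    "Trace 0x7f3a10008040 [ff0c000c] ",
    "Trace 0x7f3a10008070 [ff0c0010] ",
] + [
    "Trace 0x7f3a100080a0 [ff0c1000] ",
    "Trace 0x7f3a100080d0 [ff0c1004] ",
    "Trace 0x7f3a10008100 [ff0c1008] ",
] * 50

if __name__ == "__main__":
    # For a real run: hot_spots(open("trace.log")) works the same way.
    for pc, n in hot_spots(SAMPLE_LOG):
        print(f"{pc:08x}: {n} hits")
    print("first loop back at", first_loop(SAMPLE_LOG))
```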